Write-up: DOM XSS in innerHTML sink using source location.search @ PortSwigger Academy

Frank Leitner, published in InfoSec Write-ups, Dec 13, 2022

This write-up for the lab DOM XSS in innerHTML sink using source location.search is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path: Client-side topics → Cross-site scripting

Python script: script.py

Lab description

Steps

The lab application is a blog website with search functionality. The search term is included on the result page.

This is not performed on the server side, but by using client-side JavaScript:

If the search argument is provided, the `innerHTML` of a span element is changed dynamically. Using `foo<img src="xxx" onerror=alert(document.domain)>` as the search parameter inserts JavaScript and results in this HTML:

During the rendering of the page, the image fails to load. This in turn raises the JavaScript `alert` box, confirming the XSS vulnerability, and updates the lab to
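The sink behaviour described in the steps above, shown beside its fix, as an added example that is not part of the original write-up or the lab's own code. The function names and the `FakeElement` stand-in are assumptions made so the comparison runs under Node without a browser.

```javascript
// Added example; function names and FakeElement are assumptions, not the lab's code.
const PAYLOAD = 'foo<img src="xxx" onerror=alert(document.domain)>'; // from the write-up

// Read the term the way the page describes: from the location.search string.
function getSearchTerm(search) {
  return new URLSearchParams(search).get('search');
}

// Vulnerable pattern: the innerHTML sink parses the term as markup.
function showTermUnsafe(el, search) {
  const term = getSearchTerm(search);
  if (term) el.innerHTML = term;
}

// Hardened pattern: textContent stores the term as a text node only.
function showTermSafe(el, search) {
  const term = getSearchTerm(search);
  if (term) el.textContent = term;
}

// Stand-in for a DOM element so this runs under Node. It models one fact:
// text nodes serialize with &, < and > escaped, so no element is created.
class FakeElement {
  constructor() { this.html = ''; }
  set innerHTML(v) { this.html = String(v); }
  get innerHTML() { return this.html; }
  set textContent(v) {
    this.html = String(v).replace(/[&<>]/g,
      c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
  }
}

// True when the serialized content would contain an element start tag.
function createsElement(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed sample: the write-up's search term, URL-encoded as a query string.
function demo() {
  const search = '?search=' + encodeURIComponent(PAYLOAD);
  const unsafe = new FakeElement();
  const safe = new FakeElement();
  showTermUnsafe(unsafe, search);
  showTermSafe(safe, search);
  return { unsafe: unsafe.innerHTML, safe: safe.innerHTML };
}

const result = demo();
console.log(createsElement(result.unsafe), createsElement(result.safe)); // true false
```

In a browser, pass the real span element instead of `FakeElement`; the two `showTerm` functions are unchanged.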
